Configuring IAM Roles for S3 as Source


The Unified Data Connector module allows you to configure an S3 bucket as a source using IAM roles, ensuring secure data sharing without exposing AWS Access Key ID and Secret Key. IAM roles can be configured to connect Unified Data Connector with the S3 bucket.

This article consists of the following sections:

  • Configuration Process

  • Configuring S3 bucket for AWS environment

  • Configuring S3 bucket for GCP environment

  • Configuring S3 bucket for Azure environment

Configuration Process

Sprinklr environments are hosted on one of three cloud platforms: Amazon AWS, Microsoft Azure, and Google Cloud Storage (GCP). The configuration steps vary depending on which platform hosts your Sprinklr environment.

The following table lists the environments and the cloud platform on which each is hosted:

Environment   Hosted on
-----------   ---------
Prod          AWS
Prod2         Azure
Prod3         Azure
Prod4         AWS
Prod5         AWS
Prod6         AWS
Prod8         GCP
Prod11        AWS
Prod12        AWS
Prod15        AWS
Prod16        Azure
Prod17        GCP
Prod18        Azure
Prod19        Azure
Prod21        AWS

Configuring S3 bucket for AWS environment

Perform the following steps to configure an S3 bucket for an AWS environment.

Step 1: Define a Trust Relationship in Your S3 Bucket’s IAM Role

To allow Sprinklr to access the IAM role associated with your S3 bucket, you need to update the Trust Policy.

  1. Navigate to the AWS IAM Console and then click Roles.

  2. Select the IAM Role that has access to your S3 bucket.

  3. Click on the Trust Relationships tab and then click Edit trust policy.

  4. Ensure the policy includes the ARN of the role provided by Sprinklr and grants permission for Sprinklr’s role to inherit it.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<Sprinklr-Account-ID>:role/<Sprinklr-Role-Name>"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Note: Sprinklr provides the ARN of the IAM role that needs access to your S3 bucket. This configuration allows Sprinklr to inherit the role and interact with S3 data securely.

  5. Click Update Trust Policy to save the changes.

      The following table lists the Sprinklr IAM role for each AWS Prod environment. Enter the role ARN that matches your AWS prod environment in the Source Specific Settings screen of UDC.

      AWS environment   IAM role
      ---------------   --------
      Prod4             arn:aws:iam::170450182475:role/spr-prod4-data-connector
      Prod5             arn:aws:iam::637423527104:role/spr-prod5-data-connector
      Prod6             arn:aws:iam::283016501690:role/spr-prod6-data-connector
      Prod11            arn:aws:iam::365282317173:role/spr-prod11-data-connector
      Prod12            arn:aws:iam::869367471674:role/spr-prod12-data-connector
      Prod15            arn:aws:iam::653661179041:role/spr-prod15-data-connector
      Prod21            arn:aws:iam::195275654930:role/spr-prod21-data-connector

Step 2: Assign Required Permissions to the Role

Ensure that the IAM role associated with your S3 bucket has the necessary permissions for Sprinklr to fetch, store, and manage files.

  1. Navigate to AWS IAM Console > Roles > Permissions.

  2. Attach a policy that grants at least the following S3 permissions:

    • s3:GetObject (Read access)

    • s3:PutObject (Write access)

    • s3:DeleteObject (Delete access)

  3. Save the policy.

Step 3: Verify Access with Sprinklr

Enter the IAM role ARN in the Source Specific Settings screen while configuring Unified Data Connector.

Configuring S3 bucket for GCP environment

Perform the following steps to configure an S3 bucket for a GCP environment.

Step 1: Define a Trust Policy in Your S3 Bucket’s IAM Role

To allow Sprinklr to access the IAM role associated with your S3 bucket, you need to update the Trust Policy.

  1. Navigate to AWS IAM Console > Roles.

  2. Select the IAM role that is associated with your S3 bucket.

  3. Click on the Trust Relationships tab and then select Edit trust policy.

  4. Update the trust policy by adding the following condition:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "accounts.google.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "accounts.google.com:sub": "{sub}"
            }
          }
        }
      ]
    }

    Note:

    • The value for {sub} is listed in the table in Step 2.

    • These values ensure that only authorized requests from Sprinklr’s environment in GCS can access your bucket.

  5. Click Save Policy to apply the changes.

Step 2: Assign Required Permissions

Ensure that the IAM role associated with your S3 bucket has the following permissions for Sprinklr’s access:

  • s3:GetObject (Read access)

  • s3:PutObject (Write access)

  • s3:DeleteObject (Delete access)

If necessary, update the Bucket Policy under Amazon S3 Console > Permissions > Bucket Policy and add the appropriate actions.

The following table lists the values for each GCP prod environment (Tenant ID: bc14634e-db9f-4229-8cf0-68a87acd2f98):

Environment   Values
-----------   ------
prod8         sub: 100636600764346822243
prod17        sub: 106992939991065002332
prod19        sub: 113128329212551562743

Step 3: Verify Access with Sprinklr

Enter the IAM role ARN in the Source Specific Settings screen while configuring Unified Data Connector.

Configuring S3 bucket for Azure environment

Perform the following steps to configure an S3 bucket for an Azure environment.

Step 1: Define a Trust Policy in Your S3 Bucket’s IAM Role

To allow Sprinklr to access the IAM role associated with your S3 bucket, you need to update the Trust Policy.

  1. Navigate to AWS IAM Console > Roles.

  2. Select the IAM role that is associated with your S3 bucket.

  3. Click on the Trust Relationships tab and then select Edit trust policy.

  4. Update the trust policy by adding the following condition:

    "Condition": {
      "StringEquals": {
        "sts.windows.net/{tenant}/:aud": [
          "{aud}"
        ],
        "sts.windows.net/{tenant}/:sub": "{sub}"
      }
    }

    Note:

    • The values for {tenant}, {aud}, and {sub} are listed in a table in Step 2.

    • These values ensure that only authorized requests from Sprinklr’s environment in Azure Blob can access your bucket.

  5. Click Save Policy to apply the changes.
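The trust policies in Step 1 of the AWS, GCP and Azure sections above differ only in how they pin the caller: a single role ARN for AWS, a StringEquals condition on sub for Google, and conditions on both aud and sub for Azure. The lint function below is an added example (not Sprinklr's tooling) that checks a trust policy document against those three shapes before you save it; it flags a wildcard or account-root AWS principal, a federated principal without the matching StringEquals keys, and placeholders such as {sub} or <Sprinklr-Account-ID> left unreplaced. The Azure OIDC provider ARN ending in sts.windows.net/{tenant}/ and the sample policies are assumptions.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_trust_policy(policy):
    """Return a list of findings; an empty list means the policy follows this article's patterns."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        principal = st.get("Principal", {})
        cond = st.get("Condition", {}).get("StringEquals", {})
        # AWS-hosted environments: the principal must be one Sprinklr role ARN, never "*",
        # an account root, or the unreplaced <Sprinklr-Account-ID> placeholder.
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root") or "<" in arn:
                findings.append(f"statement {i}: AWS principal {arn!r} is not a single role ARN")
        # GCP/Azure-hosted environments: web-identity trust must be pinned with StringEquals.
        for idp in _as_list(principal.get("Federated", [])):
            # Assumption: an Azure OIDC provider ARN ends in "sts.windows.net/{tenant}/".
            host = idp.split("oidc-provider/")[-1]
            if host == "accounts.google.com":
                required = [f"{host}:sub"]
            elif host.startswith("sts.windows.net/"):
                required = [f"{host}:aud", f"{host}:sub"]
            else:
                findings.append(f"statement {i}: unexpected federated principal {idp!r}")
                continue
            if "sts:AssumeRoleWithWebIdentity" not in actions:
                findings.append(f"statement {i}: federated principal needs sts:AssumeRoleWithWebIdentity")
            for key in required:
                vals = _as_list(cond.get(key, []))
                if not vals or any("{" in str(v) for v in vals):
                    findings.append(f"statement {i}: condition {key!r} is missing or still a placeholder")
    return findings

# Constructed samples using values from the tables above (prod4 role ARN, prod8 sub).
OK_AWS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::170450182475:role/spr-prod4-data-connector"}}]}
OK_GCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
          "Principal": {"Federated": "accounts.google.com"},
          "Condition": {"StringEquals": {"accounts.google.com:sub": "100636600764346822243"}}}]}
# Same as OK_GCP but without the sub condition: any Google identity could assume the role.
WEAK_GCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": "accounts.google.com"}}]}

if __name__ == "__main__":
    for name, pol in [("OK_AWS", OK_AWS), ("OK_GCP", OK_GCP), ("WEAK_GCP", WEAK_GCP)]:
        print(name, lint_trust_policy(pol) or "ok")
```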

Step 2: Assign Required Permissions

Ensure that the IAM role associated with your S3 bucket has the following permissions for Sprinklr’s access:

  • s3:GetObject (Read access)

  • s3:PutObject (Write access)

  • s3:DeleteObject (Delete access)

If necessary, update the Bucket Policy under Amazon S3 Console > Permissions > Bucket Policy and add the appropriate actions.

The following table lists the values for each Azure prod environment. The Tenant ID ({tenant}) for these environments is bc14634e-db9f-4229-8cf0-68a87acd2f98.

Environment   client id (aud)                        object id (sub)
-----------   --------------------------------------   ------------------------------------
prod18        b767c7c4-5c29-4db2-a21a-9ce46b13eea2   6db5f7be-61fe-420b-8dbc-68054169ebb5
prod16        40d3c198-5833-43f8-bf63-75ffdd46dcc9   1e91ebdb-68a8-444a-88ec-25327f06a12f
prod3         28b2faf9-124d-4a58-a5d8-e60b3a96c666   c5636ba1-f21f-4de1-997d-e840eb0b2f84
prod2         79825178-b33f-4f16-af3b-179607e67f67   0938112f-988e-44bd-998d-b4302a975bad

Step 3: Verify Access with Sprinklr

Enter the IAM role ARN in the Source Specific Settings screen while configuring Unified Data Connector.